Description
Three high-impact UEFI security vulnerabilities have been discovered in multiple Lenovo consumer laptop models, allowing malicious actors to deploy and execute firmware implants on the afflicted devices.
Summary
The CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972 vulnerabilities concern firmware drivers that were intended to be utilized solely during the manufacturing of Lenovo consumer notebooks, but they were mistakenly included also in the production BIOS images without being properly deactivated.
How it Works
The first of the three vulnerabilities could allow a local attacker to run arbitrary code with elevated privileges, while the others could allow an attacker to disable the protection for the SPI flash memory chip where the UEFI firmware is stored, as well as turn off the UEFI Secure Boot feature, which ensures that the system only loads code trusted by the Original Equipment Manufacturer at boot time (OEM). Due to these vulnerabilities an attacker will have the ability to effectively install persistent malware that can survive system reboots.
To see a list of products affected by these vulnerabilities you can follow this URL:
https://support.lenovo.com/gy/en/product_security/len-73440#Lenovo%20Notebook
Remediation
In order to mitigate these vulnerabilities users are asked to update their firmware at the following link:
https://support.lenovo.com/gy/en/product_security/len-73440
The Guyana National CIRT recommends that users and administrations review this alert and apply it where necessary.
PDF Download: Lenovo UEFI Firmware Driver bugs.pdf
References
Lakshmanan, Ravie. (19th April 2022). New Lenovo UEFI Firmware Vulnerabilities Affect Millions of Laptops. Retrieved from The Hacker News. https://thehackernews.com/2022/04/new-lenovo-uefi-firmware.html
Ilascu, Ionut. (19th April 2022). Lenovo UEFI firmware driver bugs affect over 100 laptop models. Retrieved from Bleeping Computer. https://www.bleepingcomputer.com/news/security/lenovo-uefi-firmware-driver-bugs-affect-over-100-laptop-models/